Rule #1 with AOS8 - Always deploy with an MM, otherwise you will be scrambling to figure out what does not work without an MM (like clustering, AirMatch, EDIT centralized configuration).
The answer to generating a CSR is always "Do it offline". If you do it on a specific controller, you can only upload the certificate to that specific controller. If you generate a CSR offline with OpenSSL you can upload the resulting certificate to as many controllers as you want.
You do not require a DNS record in your infrastructure, because when you upload the certificate to the controller, it reads the FQDN, intercepts all DNS requests for that FQDN and answers with the local controller's IP address. If you optionally upload custom HTML to the controller, you would simply have to reference the FQDN of the certificate in the "submit" and the client will always be redirected back to the IP address of the local controller for authentication.
If you had an MM, you would simply upload the certificate by going to Configuration > System > Certificates > Import Certificates and clicking the + sign. You would then upload with a certificate type of "ServerCert". Make sure your context is as high as it can be in the hierarchy. If you don't have an MM, since there is no sync, you would have to do it on one controller and then the other. If you had an MM, all the controllers that are at or under that folder in the hierarchy will automatically obtain and install the certificate (see what is going on here?). You would not have to do anything at the node level.
To answer generally, the node level is for very specific things like IP addresses and interface configuration. Many organizations deploy with their interfaces in the same configuration, with an MM, so they have to do little if any node-specific configuration.
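
The offline CSR step recommended above, as an added example that is not part of the original post: it creates the key and CSR on a workstation, confirms the issued certificate belongs to that key, and bundles both once for reuse. The FQDN, working directory, file names, the `P12_PASS` variable and PKCS#12 as the import format are assumptions.

```shell
#!/bin/sh
# Added example: offline CSR workflow for one server certificate shared by controllers.
# FQDN, WORKDIR and file names are constructed placeholders, not values from the post.
set -eu
FQDN="${FQDN:-captiveportal.example.com}"
WORKDIR="${WORKDIR:-./cp-cert}"

# Create the private key (owner-readable only) and a CSR carrying the FQDN as CN and SAN.
make_csr() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $FQDN
[ext]
subjectAltName = DNS:$FQDN
EOF
  ( umask 077 && openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null )
  openssl req -new -key "$WORKDIR/server.key" -config "$WORKDIR/req.cnf" \
    -out "$WORKDIR/server.csr"
}

# Check the CSR self-signature, then print the commonName it will present to the CA.
csr_cn() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  openssl req -in "$1" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the certificate's public key is the one derived from the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Bundle key and issued certificate once (assumption: PKCS#12 is accepted on import).
make_bundle() {
  key_matches_cert "$WORKDIR/server.key" "$1" || { echo "key/cert mismatch" >&2; return 1; }
  openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$1" \
    -out "$WORKDIR/server.p12" -passout env:P12_PASS
}

case "${1:-}" in
  csr)    make_csr && csr_cn "$WORKDIR/server.csr" ;;
  bundle) make_bundle "$2" ;;
esac
```

Because the private key never leaves the workstation until it is bundled, the bundle file and its passphrase are the assets to protect and to delete after the import.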